A set of critical security vulnerabilities, collectively termed PixieFail, has been revealed in the TCP/IP network protocol stack of the Unified Extensible Firmware Interface (UEFI) specification. These vulnerabilities, numbering nine, are located in the TianoCore EFI Development Kit II (EDK II) and have the potential to expose modern computers to severe risks, including remote code execution (RCE), denial-of-service (DoS), DNS cache poisoning, and leakage of sensitive information. The flaws impact UEFI firmware from major manufacturers such as AMI, Intel, Insyde, and Phoenix Technologies. The EDK II incorporates a TCP/IP stack called NetworkPkg, enabling network functionalities during the initial Preboot eXecution Environment (PXE) stage.
Quarkslab, the entity responsible for discovering PixieFail, identified a range of vulnerabilities within the EDK II’s NetworkPkg. These include overflow bugs, out-of-bounds reads, infinite loops, and the use of a weak pseudorandom number generator (PRNG). The weaknesses in the protocol stack can lead to attacks such as DNS and DHCP poisoning, information leakage, DoS, and data insertion at both the IPv4 and IPv6 layers. The impact and exploitability of these vulnerabilities depend on specific firmware builds and the default PXE boot configuration, according to the CERT Coordination Center (CERT/CC).
The list of vulnerabilities identified in PixieFail includes issues such as an integer underflow, buffer overflows, out-of-bounds read, infinite loops, and the use of a weak PRNG. These vulnerabilities pose serious threats and could allow attackers within the local network, and potentially remotely in specific scenarios, to execute remote code, initiate DoS attacks, conduct DNS cache poisoning, or extract sensitive information. CERT/CC recommends organizations to transition to secure-by-design systems and implement a zero-trust framework for UAS fleets, along with a supply chain risk management program for all information and communication technology devices.